Do you have a responsible security disclosure program? There are definitely some issues with this approach.

Also, AWS SES is pretty cheap and easy to use, it provides 62k emails per month for free: https://aws.amazon.com/ses/pricing/

It's hard to compete with that.


The most common lifecycle of a resource flows from Creation, to Updates, to Deletion. When a resource is created access must be given to the user so that they can read and write to it afterwards. By default new resources in an application don’t imply access control. If creation is when access records are created, then reads and updates are when access records are verified. There are many examples of these in the available SDKs.

For Deletion, an application must pay special attention to handling updates and possibly removing permissions to a resource so that the resource is freed for future…


It’s already old news at this point to be talking about two-pizza teams. You can find a myriad of articles on Google discussing what they are and why you want them. I’m going to be talking about the innovation in team management that supersedes two-pizza teams and that’s the wolf-pack team.

(Just a quick note here, I know that not all wolves form packs, nor are the packs they form most optimal in every situation, however…)

Having a two-pizza team amounts to somewhere between 3 and 7 team members, where all aspects of the team are handled by that team. It…


Just writing down my list of things that are problematic with TF. While you don’t have to agree, it’s good to put the list down and begin that conversation.

  • Suggested formatting rules => bad for vcs diffs
  • doesn’t support multiple environments well
  • doesn’t support conditional expressions well
  • syntax is overcomplicated (makes it also very easy to do the wrong thing)
  • docs are highly inconsistent with actual platform terminology
  • docs are riddled with Warnings and notes: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  • abuses parameters to do different things making it easy to get it wrong
  • logging is verbose but unhelpful
  • easy to get a provider or…


Capitol building cybersecurity vulnerabilities
US Capitol building (Washington D.C.)

The importance of data security has not been left off anyone’s radar. And, in the wake of unauthorized access to the US Capitol building, the approach for some is to wipe everything. Potentially malicious attackers were on premises, able to access user data and user sessions left unlocked. The historical lack of sufficient technical experts in leading government areas has left reasonable controls out of the picture. The lack of attention to data security in some of the most critical areas results from a number of antiquated mindsets and an overall deficit in talent.

The situation

However, many companies also find themselves, while not…


Being in a leadership position for a while now there are a couple of things that I can help point to. While there is some good advice in this post which could help, I first want to focus on the misconceptions:

Misconceptions

  • Years of experience does not equate to “Seniority”. It is a common mistake to associate these and for junior developers it may seem obvious to do so, but in reality there are a lot of aspects that are important for being a “Senior Software Engineer”. I’ll talk about them next. There is an adage of 1000 hours of practice…

Creating API authentication for an application

Applications that provide first-class APIs require more than simple authentication; they require API keys. API keys generated by your users allow their programmatic services to interact with your APIs. These must be generated in a safe way and have different requirements than UI tokens.

In most cases with authentication, you’ll have JWTs to identify and authorize a user. These JWTs come from your authentication provider. Internally, you may also have API keys to authenticate your internal services to one another. However, having to authenticate users and service clients differently causes issues:

  • Opaque API keys have no expiration…


Integrating applications with OAuth 2.0 identity providers

Authentication more frequently works as identity aggregation. This means that it provides a central point to combine any number of user identity management or federated login providers in a single place, for example Google and Facebook login. Providing a solution that works with just one is easy, but supporting both and then normalizing the data is more complex.

Providers such as Authress normalize these, providing standard OIDC-compliant JWTs, which include secure session management.

In this guide we’ll use Google login as an example of how to connect. Setting up authentication requires the following parts:

  1. Custom Domain
  2. Authress-Google…


Unlocking JWT security in web apps

Securing a web application or API requires actually validating the access token that is being used. When using JSON web tokens (JWTs), there are two mechanisms for doing this. But the core of the solution requires inspecting that JWT, understanding who the authority is, and using that authority for verification.

The properties or fields in a JWT are called claims. JWTs contain an iss claim. This is the issuer, which identifies the authorization server (AS) that issued the token. As such the AS provides a full document about how JWTs are constructed and how to verify them…


Keep your application secure

Implementing data security within an application can be done with various access control strategies. The access control determines if a given user is allowed to perform a particular action on a requested resource. Do they have access to see the data, make updates, or delete it? The answer to that lies within your access control policies. There are different ways to implement security, each with its own benefits and detractors. Finding the right one for your application can be the difference between happy users with secure, private data, and a disastrous data breach.

Depending on the types of applications or services…

Warren Parad

CTO and Founder at Rhosys, where we use AI security to protect applications. I share how to continually innovate and stay ahead in the technology domain.
